Pull request 180: AG-25266 encryption

Merge in GO/adguard-home-wiki from AG-25266-encryption to master

Squashed commit of the following:

commit 92928fc7a07b529d3ae31ea648cdcc62fdfe4691
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Tue Aug 29 20:17:37 2023 +0300

    all: imp fmt, add hdrs

commit 7445bd8d5af34d394803f7b5b90d1e271826848a
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Tue Aug 29 19:50:53 2023 +0300

    Envryption: fix copies

commit 7008320fa75ec27fe5cd506fce7f7d00d1ab1bf3
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Tue Aug 29 19:48:27 2023 +0300

    all: add hsts example
Eugene Burkov 2023-08-29 20:21:48 +03:00
parent 83a59f6bf8
commit b3490ee566
4 changed files with 40 additions and 18 deletions

@ -214,7 +214,7 @@ your machine:
the `/etc/systemd/resolved.conf.d` directory if needed) and add the
following content to it:
```none
```service
[Resolve]
DNS=127.0.0.1
DNSStubListener=no

@ -17,13 +17,14 @@ AdGuard Home.
1. [Install AdGuard Home on your server](#install)
1. [Register a domain name](#register)
1. [Get an SSL certificate](#certificate)
* [Install CertBot](#certbot)
* [Using CertBot](#certbot)
* [Get a certificate using DNS challenge](#certbot-dnschallenge)
* [Alternative to CertBot: Lego](#lego)
* [Using Lego](#lego)
1. [Configure AdGuard Home](#configure-home)
1. [Using with reverse proxy](#reverse-proxy)
* [Nginx](#nginx)
* [Cloudflare CDN](#cf-cdn)
* [Other Headers](#other-hdrs)
1. [Configure your devices](#configure-devices)
* [Android](#android)
* [iOS](#ios)
@ -80,7 +81,7 @@ Security Research Group (ISRG).
In this guide I'll explain how to get a certificate from them.
### <a href="#certbot" id="certbot" name="certbot">Install CertBot</a>
### <a href="#certbot" id="certbot" name="certbot">Using CertBot</a>
Certbot is an easy-to-use client that fetches a certificate from Lets Encrypt.
@ -89,7 +90,7 @@ Certbot is an easy-to-use client that fetches a certificate from Lets Encrypt
1. Follow the installation instructions, and stop there don't get to the "Get
Started" section.
### <a href="#certbot-dnschallenge" id="certbot-dnschallenge" name="certbot-dnschallenge">Get a certificate using DNS challenge</a>
#### <a href="#certbot-dnschallenge" id="certbot-dnschallenge" name="certbot-dnschallenge">Get a certificate using DNS challenge</a>
You have just got a domain name so I suppose using DNS challenge will be the
easiest way to get a certificate.
@ -111,7 +112,7 @@ Both will be necessary to configure AdGuard Home.
> You will need to use the very same procedure to renew the existing
> certificate.
### <a href="#lego" id="lego" name="lego">Alternative to CertBot: Lego</a>
### <a href="#lego" id="lego" name="lego">Using Lego</a>
There's also a really nice and easy-to-use alternative to CertBot called
[lego][lego-source].
@ -186,7 +187,7 @@ their hostnames.
For example, if the configuration of the reverse proxy server contains the
following directives:
```none
```nginx
location /dns-query {
# …
proxy_set_header Host $host;
@ -210,6 +211,23 @@ inserted into `trusted_proxies` list directly. An official Cloudflare's
reference on restoring the original visitor's IP may be found
[here][cloudflare-real-ip].
### <a href="#other-hdrs" id="other-hdrs" name="other-hdrs">Other Headers</a>
Other HTTP headers may be supported by AdGuard Home in the future. However, any
headers-related feature requests should first be tried to be resolved by
configuring the reverse proxy itself.
For example, to implement the [HTTP Strict Transport Security][hsts] mechanism,
something like the following piece of configuration might be used:
```nginx
location /dns-query {
# …
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# …
}
```
[reverse-proxy-faq]: https://github.com/AdguardTeam/AdGuardHome/wiki/FAQ#how-to-configure-a-reverse-proxy-server-for-adguard-home
@ -217,6 +235,7 @@ reference on restoring the original visitor's IP may be found
[cloudflare-headers]: https://support.cloudflare.com/hc/en-us/articles/200170986
[cloudflare-addresses]: https://www.cloudflare.com/ips
[cloudflare-real-ip]: https://support.cloudflare.com/hc/en-us/articles/200170786
[hsts]: https://datatracker.ietf.org/doc/html/rfc6797

13
FAQ.md

@ -344,9 +344,11 @@ If you're already running a web server and want to access the AdGuard Home
dashboard UI from a URL like `http://YOUR_SERVER/aghome/`, you can use this
configuration for your web server:
### nginx
```none
```nginx
location /aghome/ {
proxy_cookie_path / /aghome/;
proxy_pass http://AGH_IP:AGH_PORT/;
@ -368,8 +370,8 @@ location /aghome/ {
}
```
Or, if you just want to serve AdGuard Home with automatic TLS, use
a configuration similar to the example shown below:
Or, if you just want to serve AdGuard Home with automatic TLS, use a
configuration similar to the example shown below:
```none
DOMAIN {
@ -393,9 +395,10 @@ AdGuard Home respond to DoH requests without TLS encryption.
**Since v0.107.0,** you can set the parameter `trusted_proxies` to the IP
address(es) of your HTTP proxy to make AdGuard Home take the headers containing
the real client IP address into account. See the [configuration page][conf] for
more information.
the real client IP address into account. See the [configuration][conf] and
[encryption][encr] pages for more information.
[encr]: https://github.com/AdguardTeam/AdGuardHome/wiki/Encryption#reverse-proxy
[conf]: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration

10
VPS.md

@ -7,20 +7,20 @@ To run AdGuard Home on a VPS, you need a server with Debian 8 or 9, x64 or x32.
## Initial installation
First let's ensure that your VPS has necessary minimal requirements, run this as root:
```bash
```sh
apt-get install sudo nano bind9-host
```
Go to [AdGuard Home page](https://github.com/AdguardTeam/AdGuardHome#installation) and download binaries for your architecture (64-bit Linux in this example).
To download AdGuard Home and unpack it execute following commands:
```bash
```sh
wget https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz
tar xvf AdGuardHome_linux_amd64.tar.gz
```
You can find out the directory where you've unpacked it to by running these commands:
```bash
```sh
cd AdGuardHome
pwd
```
@ -36,12 +36,12 @@ Here are the other commands you might need to control the service.
* `AdGuardHome -s status` - shows the current service status.
You can verify that it's working properly by running this command:
```bash
```sh
host doubleclick.net 127.0.0.1
```
If everything works correctly, you will get this output:
```
```none
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53